Google Cloud Professional Cloud Developer — Question 121
You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?
Answer options
- A. Configure the appropriate service accounts, and use Workload Identity to run the pods.
- B. Store the application credentials as Kubernetes Secrets, and expose them as environment variables.
- C. Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database.
- D. Store the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.
Correct answer: A
Explanation
The correct answer is A because configuring service accounts and using Workload Identity allows your application to securely access Spanner without hardcoding credentials. Option B is less secure as it involves exposing credentials as environment variables. Option C does not address credential management directly, and option D, while secure, increases complexity and code changes by requiring additional key retrieval logic.